C S 4 8 3 – S D S E C T I O N

B Y D R . D A N I YA L A L G H A Z Z AW I ( 7 )

AUTHENTICATION

Introduction

There are two primary parts to access control:

 Authentication

 Authorization

Authentication deals with the problem of

determining whether a user (or other entity) should be allowed access to a particular

system or resource.

Authentication Methods

The human can be authenticated to a

machine based on any combination of the following:

1. Something you know e.g. Password

2. Something you are e.g. Fingerprint

3. Something you have e.g. ATM card

1. Something You Know - Passwords

Password is:

 something that you know

 something that computer can verify that you know

 something nobody else can guess-even access to unlimited computing resources.

One important fact regarding passwords is that many things act as password.

 E.g. the PIN number for an ATM card

One solution to the password problem would be use randomly generated cryptographic

keys in place of passwords. How?

Keys Versus Passwords

If a password is 8 characters long (8 bytes) with 256 possible choices for each character

 256⁸ possible passwords.

 E.g. password

If a key with 64-bit (8 bytes) cryptographic key  2⁶⁴ possible keys. (Trudy must try 2⁶³ keys before she expects to find the correct one)

 E.g. Kf&Yw!a[

Although 2⁶⁴ = 256⁸ (8 bytes), and this

appears to be equivalent, users don’t select passwords at random because users must remember their passwords.

Choosing Passwords



Some passwords better than others. For

example the following passwords are weak:

 Frank (your name)

 10251960 (your birthday)



Users should have passwords that are difficult to guess:

 jFiEk(43j-EmmL+y

 BedL1ON

Attacking Systems via Passwords

A common attack path for Trudy would be:

outsider normal user administrator

One weak password on a system –or one

week password on an entire network- could be enough for the first stage of the attack to succeed.

Password Verification

 Problem:

 Storing “raw” passwords is not secure

 Solution:

 Storing hashed passwords is more secure.

Password Verification

 Problem:

1. Suppose Trudy has a “dictionary” containing N passwords:

d₀, d₁, d₂, …, d_N-1

she could pre-compute the hash of each password:

y₀=h(d₀), y₁=h(d₁), y₂=h(d₂), …, y_N-1=h(d_N-

1)

2. Trudy can guess the password p if she found h(p) is similar to one of the pre-compute hash y_x

 Soulution:

1. generate a random salt value s (Note: the s is not secret)

2. compute y = h(p,s)

3. store the pair (s,y) in the password file.

4. To verify an entered password z, compute h(z,s) = y

Math of Password Cracking

Supposed that:

 All passwords are eight characters in length

 there are 256 choices for each character

resulting in

 256⁸ = 2⁵⁶ possible passwords

Number of possible choices in each cell (byte/bit/…)

Number of cells (byte/bit/…)

2

⁵⁶

2 56

Math of Password Cracking

Case I:

Trudy decides that she wants to find Alice’s password.

(Assuming that Alice’s password contains of 8 bytes)

This is precisely equivalent to an exhaustive key search and the expected work is

2⁵⁶/2=2⁵⁵

Math of Password Cracking

Case II:

Trudy again wants to recover Alice’s password, but she is going to use her dictionary of common passwords.

(Assuming that any given password will

appear in the dictionary with a probability of about ¼, and Trudy has a dictionary of 2²⁰

common passowords) The expected work is:

¼(2¹⁹)+¾(2⁵⁵)≈2^54.6

Math of Password Cracking

Case III:

Trudy will be satisfied to find any one of the 1024 passwords in the hashed password file without using any dictionary

(Assuming that the password file contains 2¹⁰

= 1024 hashed passwords, and all of them are distinct)

The expected work is:

2⁵⁵/2¹⁰ = 2⁴⁵

Math of Password Cracking

Case IV:

Trudy wants to find anyone of the 1024

passwords in the hashed password file, and she will make use of her dictionary.

The expected work is:

 Not salted password:

2¹⁹ / 2¹⁰ = 2⁹

 Salted password:

¼(2¹⁹)+ ¾.¼(2²⁰+2¹⁹)+(¾)² ¼(2.2²⁰+2¹⁹)+ … + (¾)¹⁰²³ ¼(1023.2²⁰+ 2¹⁹) < 2²²

Other Password Issues/Problems

Remembering different passwords is difficult

“Social engineering” is when someone

claiming to be a system administrator and needs your password

Password cracking tools, such as:

 L0phtCrack (for Windows) - now called LC5:

used to test password strength and sometimes to

recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks.

 John the Ripper (for Unix)

run against various encrypted password formats including DES, MD5, Blowfish, Kerberos AFS, and Windows NT/2000/XP/2003 LM hash

2. Something You Have - Biometrics

Biometrics are the “something you are”

method of authentication or, in Schneider's immortal words, “you are your key”

There are many different types of biometrics as fingerprints and handwritten signatures.

Biometrics



A biometric should be

 Universal: The ideal biometric should apply to virtually everyone.

 Distinguishing: The ideal biometric should distinguish with virtual certainty.

 Permanent: The physical characteristic being measured should never change.

 Collectable: The physical characteristic should be easy to collect without any potential to cause harm to the subject.

 Reliable, robust, and user-friendly

Biometrics Usage

1. Identification:

 Identify the subject from a list of many possible subjects.

 E.g., a suspicious fingerprint from a crime scene is sent to the FBI fingerprint database for comparison with all records on file. In this case, the comparison is one to many.

2. Authentication:

 The comparison is one to one

 E.g., if someone claiming to be Alice uses a thumbprint mouse biometric, the captured thumbprint image is only compared with the stored thumbprint of Alice.

Phases of Biometric System

1. The Enrollment Phase:

subjects have their biometric information entered into a database.

2. The Recognition Phase:

subjects have their biometric information entered into a database.

Biometric Examples

1. Fingerprints

2. Hand Geometry

3. Iris Scan

Biometric Error Rates

For fielded fingerprint biometric systems, the equal error rate is typically about 5%

hand geometry has an equal error rate of about 10⁻³

3. Something You Have

For example,

 a network MAC address

 an ATM card

 a password generator

The process of a password generator is shown below:

Two-Factor Authentication

Two or three methods can work together for authentication

For example:

the password generator scheme requires both:

1. “something you have” (the password generator), and

2. “something you know” (the PIN).

Requiring two out of the three methods of authentication is known as two-factor

authentication.